The UK government has introduced a revised version of post-Brexit data protection reforms in Parliament, which it claims will save organizations £4.7bn over the next decade.
Originally introduced in Parliament in July 2022, the Data Protection and Digital Information Bill was due for a second reading on 5 September – the day the Conservative Party leadership election ended – but was pushed back to “give ministers time to consider the bill”.
The government now claims that the updated bill will introduce a simple, clear and business-friendly framework that will not be difficult or costly to implement, by giving businesses more flexibility in how they comply with data laws, and will further reduce the amount of paperwork organizations need to demonstrate compliance.
As a result of the reduction in paperwork, the government says that only organizations whose processing activities are likely to pose a high risk to individuals’ rights and freedoms (such as processing large amounts of sensitive data about people’s health) should continue to keep processing records.
“Designed with business from the ground up, this new bill ensures that a vitally important data protection regime is tailored to the UK’s own needs and our customs,” said science, innovation and technology secretary Michelle Donelan.
“Our system will be easy to understand, easy to follow, and take advantage of the many opportunities in post-Brexit Britain. There is no need for our businesses and citizens to trouble themselves around the obstacle-based European GDPR [General Data Protection Regulation].
“Our new laws free British businesses from unnecessary red tape to unlock new discoveries, drive next-generation technologies, create jobs and grow our economy.”
The government added that the revised bill will also support increasing international trade without creating additional costs for businesses that already comply with existing data protection rules, as well as increasing public confidence in the use of artificial intelligence (AI) technologies by clarifying the circumstances in which safeguards apply in automated decision-making.
For example, if an automated decision is made without “meaningful human involvement”, an individual can challenge that decision and request that a person review the outcome. However, the government has not specified what meaningful human involvement looks like.
The government claims that the UK’s current data protection laws are “complex and lack clarity just for automated decision-making and profiling”, making it “difficult for organizations to responsibly use these types of technologies”.
The new regime will also give organizations greater confidence about when they can process personal data without people’s consent, for example, where there is a public interest in sharing personal data to prevent crime or protect national security.
Civil society reaction
In response to the revised bill, however, 26 civil society organizations – including the Open Rights Group (ORG), the App Drivers and Couriers Union, Liberty, Big Brother Watch, and the United Tech and Allied Workers, among others – signed an open letter to Donelan calling for it to be scrapped and returned to the drawing board.
“The latest version of the bill contains multifaceted and poorly considered proposals that put UK residents and UK data protection at risk,” they wrote.
“In recent months, a wave of legislation (related to protest, freedom of speech, etc.) has tried to consolidate power in the hands of the government and corporations at the expense of the rights of everyday people. Following that trend, the proposed changes in this bill will reduce the proper management of data processing, harm sensitive information about UK residents, and create opportunities for discrimination against vulnerable groups of people.”
Specifically, the signatories noted that the bill will change the data protection impact assessment process so that organizations no longer need to consult with data subjects affected by high-risk processing; lower thresholds for organizations to deny subject access requests; and remove the right of individuals not to be subject to automated decision-making.
They added that the government could also interfere with the regulatory function of the Information Commissioner’s Office (ICO), and allow the secretary of state to approve international transfers with little regard for the existence of enforceable rights and effective remedies.
The secretary of state can also create new legitimate grounds for data processing, which have the potential for abuse.
“Clauses 5 and 6 of the bill will allow the secretary of state to legitimately use data and re-use by statutory instrument (SI) without meaningful parliamentary scrutiny, and without due regard to proportionality or the impact on the rights and freedoms of individuals,” they wrote.
“ORG’s work with organizations representing over-policed groups reveals how justifications for collecting and retaining data hide outside ordinary criminal justice protocols and target minority groups in more subjective factors.”
Industry reaction
Technology businesses took a more positive view of the bill. TechUK CEO Julian David, for example, said it would bring organizations clarity and flexibility in the use of personal data.
“The changes announced today will give companies greater legal confidence to conduct research, deliver basic business services and develop new technologies such as AI, while maintaining the level of protection of data in accordance with the highest standards in the world, including the adequacy of data in the EU,” said David.
Chris Combemale, chair of the Bill’s Business Advisory Group and CEO of the Data & Marketing Association (DMA UK), added: “We are confident that the bill should act as a catalyst for innovation and growth, while continuing the strong privacy protection across the UK – an important balance that will build consumer confidence in the digital economy.”
The revised bill was also welcomed by the information commissioner, John Edwards, who said he supported “its ambition to enable organizations to grow and innovate while maintaining high standards of data protection rights. Data protection law must give people the confidence to share their information to use the products and services that drive our economy and society.
“The bill will ensure that my office can continue to act as a credible, fair and independent regulator. We look forward to continuing to work constructively with the government to monitor how these reforms are articulated in the bill as it progresses through Parliament.”